Four vulnerabilities altogether they were discovered at Symantec Data Center Security: Server Advanced (SDCS:SA). Vulnerabilities allow a potential attacker to bypass policies protectionof the customer and gain access to the system and database.
Security issues include the ability to import SQL (SQL injection), cross-site scripting (XSS), disclosure of information and bypassing protection policy.
Stefan Viehbock, security researcher at the SEC Consult Vulnerability Lab, discovered the vulnerabilities and reported them to Symantec at 20 October, 2014.
According to one its publication on Thursday, with the SQL injection, which states as CVE-2014-7289, an attacker could send SQL commands and run because of invalid input invalidation which allows read / write access to any record being available in a database .
During the duration of his research, Viehbock was able to add a new user with admin privileges to SDCS:SA.
By exploiting the XSS glitch (CVE-2014-9224) the researcher stated that an attacker could steal a user's session, and gain access to the admin interface without permission.
With the third vulnerability (CVE-2014-9225), an attacker could benefit from accessing an unprotected script (https: //: 8081 / webui / admin / environment.jsp) containing internal details about requests to the server , such as file paths on the server and version information (OS, Java).
The fourth vulnerability discovered by Viehbock is referred to as CVE-2014-9226, and if utilized, it can override pre-selected security policies and bypass SDCS: SA client.
Symantec has already released patches, but only for SCSP products 5.2.9 MP6 and SDCS: SA 6.0 MP1.
